Software execution control system and software execution control program

ABSTRACT

It is possible to prevent unauthorized use of software such as a game program in download type software distribution for using a program and data by storing them in a user computer in advance. A user downloads (S 2 ) a game program ( 40 ) of new version (including an accompanying data group) and an execution program ( 50 ) from a distribution computer ( 10 ). The execution control program ( 50 ) performs authentication by online with an authentication computer ( 20 ) and acquires (S 3 , S 4 ) start information required for starting the game program ( 40 ). The execution control program ( 50 ) decodes the game program ( 40 ) according to the start information and starts it (S 5 ). When the user terminates the game by terminating the game program ( 40 ), the execution control program ( 50 ) deletes all or a part of the game program ( 40 ) so as to incapacitate it (S 6 ).

TECHNICAL FIELD

The present invention relates to a software execution control system and software execution control program for updating various types of application software such as game software, office software for creating documents and drawings and the like to software of newer versions, and for controlling the execution of such software.

TECHNICAL BACKGROUND

Generally, in the case of application software such as game software or the like that operates in user computers such as (for example) personal computers, portable information terminals or the like, a plurality of different versions are prepared according to various types of software execution environments such the OS (operating system), language use, hardware construction and the like, or according to whether or not there is any software cost, payment of a fee or the like.

For example, even in the case of the same software, different versions may be prepared according to the language that is used, e.g., as in an English language edition, Japanese language addition, Chinese language edition or the like. Furthermore, it is fairly common for a version that is provided free of cost and a version that is provided for a fee to be prepared, and for [the user] to be induced to upgrade from the free software to the software that is provided for a fee. Such free software is also called a “test edition” or “trial edition”, and the software that is provided for a fee is called the “product edition” or “complete edition”. Compared to software of the same type that is provided for a fee, free software usually shows a partial limitation of the functions or a restriction on the trial use period or number of times of trial use permitted. Users who recognize the value of the software as a result of such trial use of free software accomplish upgrading of the software version by purchasing the software that is provided for a fee from a web site that provides this software, and downloading the purchased software, or by purchasing packaged software for a fee at a retail outlet.

Meanwhile, since software is digital data and can easily be copied, and since such software is characterized by the fact that such copying causes almost no deterioration in the software, illegal copying and unauthorized use are major problems. Accordingly, it has conventionally been the practice to discriminate by means of user verification or the like between regular users who have purchased the software (software license) and illegal users who have not obtained such a license, and to take steps so that only regular users are allowed to use the software.

For instance, a technique is known in which a product ID that is printed on the software package or recording medium is input when the software is installed, and it is thus ascertained whether or not this software is a regularly purchased product (e.g., see Japanese Patent Application Laid-Open No. 2002-258963, paragraph 0003).

Furthermore, a technique is also known in which key data that is required in order to use the software is requested from a license management server installed on the internet, and the system is devised so that in cases where the user is confirmed as a regular user by user verification, the user can acquire this key data from the license management server, and can start and use the software by means of this key data (e.g., Japanese Patent Application Laid-Open No. 2002-6972, Japanese Patent Application Laid-Open No. 2002-297254).

Conventional techniques that discriminate whether or not a user is a regular user by inputting a product ID (product key) are protective mechanisms that merely input an ID consisting of simple characters or symbols at the time of installation, and are therefore easily circumvented. Accordingly, software that has only a protective mechanism (copyright protection mechanism) of this type cannot in fact exclude illegal copying and unauthorized use.

A technique in which user verification is performed with a license management server, and key data is transmitted to the user computer to start [the software] in case where a normal verification is made, shows an improved protective power compared to a technique in which a product ID is simply input. However, the software is already placed in a state that allows starting in the user computer, and the user must wait to acquire the key data. Accordingly, if the software that is in a key data waiting state is illegally copied, and the key data is obtained by some other method, the protective mechanism can be circumvented, and the software can be used.

Meanwhile, in recent years, as the processing capacity of computers has increased and communications networks have achieved higher speeds, methods have been proposed for executing desired software at the time desired by users. The streaming system and the downloading system are known as distribution systems that are suitable for such on-demand distribution of software.

In the case of the streaming system, the user computer simultaneously performs playback while receiving software from a server. Then, data that is unnecessary is immediately discarded after this playback is completed. Accordingly, in the streaming system, since no data remains at the point in time at which the inspection by the user is completed, the software cannot be illegally copied without using some special type of software or the like. However, in the case of the streaming system, the software data must be transmitted each time that the user desires to inspect the software; accordingly, even in cases where a broad-area, high-speed communications network is provided, the traffic on the communications network is increased, and the burden on the server is also increased, if numerous users desire streaming distribution at the same time.

In the case of the downloading system, on the other hand, software that is desired by a user is downloaded from a server and accumulated in the user computer, and this software is executed in the user computer; accordingly, the time for which the data is flowing through the communications network is short, and distribution requests from numerous users can be handled. In the case of the downloading system, however, software remains as downloaded in the user computer; accordingly, illegal copying and the like can be performed more easily than in the case of the streaming system.

Furthermore, for example, it is a widespread practice for game programs and the like to be placed in circulation in a form in which these programs are fixed on various types of recording media such as CD-ROMs, DVD-ROMs, hard disks, semiconductor memories and the like. In such cases as well, game programs and the like are improperly copied, protective mechanisms are improperly destroyed, and the programs are improperly used, as was described above.

DISCLOSURE OF THE INVENTION

Accordingly, it is one object of the present invention to provide a software execution control system and software execution control program which are devised so that this system and program can suppress the improper use of software.

[Furthermore,] it is one object of the present invention to provide a software execution control system and software execution control program which are devised so that in the case of a downloading system that stores and executes software in a user computer, illegal copying and unauthorized use can be prevented.

[Furthermore,] it is one object of the present invention to provide a software execution control system and software execution control program which are devised so that the improper use of software during execution can be prevented beforehand.

[Furthermore,] it is one object of the present invention to provide a software execution control system and software execution control program which can actively control the monitoring efficiency with respect to improper use while taking into account the load conditions and the like.

Other objects of the present invention will become clear from the description of embodiments given below.

The software execution control system of the present invention is a system which updates first software that is installed in a user computer to second software; this system comprises a distribution part and verification part described later, and uses an execution control program which performs an operation that is characteristic [of the present invention].

The distribution part is a part that distributes encoded second software and an execution control program for controlling the execution of this second software to the user computer via a communications network. The verification part is a part that performs user verification by means of a request from the execution control program installed in the user computer, and that transmits specified information that is required in order to decode and start the second software to the control execution program via the communications network in cases where it is confirmed that the user is a valid user. Furthermore, the second software is constructed so that this software can be started only by the starting information that is transferred from the execution control program, and the execution control program is constructed so that (1) the encoded second software is decoded on the basis of specified information received from the verification part, and is substituted for the first software, (2) the second software is started by creating starting information on the basis of specified information, and (3) the second software is disabled when the execution of the second software is completed.

The first software and second software are software of the same type, but of different versions. The first software may also be called old edition software, and the second software may also be called new edition software. For example, various types of application software such as games, movies, musical programs, cultural programs, educational programs, document preparation [programs], graphics preparation [programs], image editing [programs] and the like can be used as the first and second software. For example, the first software and second software differ in terms of the language used, the environment in which execution is possible (corresponding OS or the like), presence or absence of functional limitations and the like. Examples of user computers that can be used include workstations, personal computers, portable information terminals, portable telephones and the like.

Initially, the first software that has been installed in the user computer can be freely used by the user without performing the verification processing and the like described later. For example, the first software is installed in the user computer via a communications network such as the internet or the like from a software vendor site, or by means of packaged software from a retail outlet.

Next, if the user wishes to download the second software from the distribution part, the second software and an execution control program that controls the execution of the second software are transmitted to the user computer from the distribution part. The execution control program is executed in the user computer. The execution control program requests user verification from the verification part via the communications network. In regard to the method used for user verification, for example, this can be accomplished by making a comparison with a user ID, password, or data in which information that is specific to the user computer (e.g., MAC address (medial access control address) or the like) is registered beforehand. Furthermore, the system is not limited to these examples; for instance, verification can also be performed using biological information that is specific to the user, such as fingerprints, voice prints or the like.

In cases where the verification part verifies that the user is a valid user, specified information is transmitted from the verification part to the execution control program of the user computer. This specified information contains data that is required in order to decode the second software that is transmitted to the user computer in an encoded state, and in order to start the decoded second software.

Here, the second software is constructed so that this software can be started only by the starting information transferred from the execution control program. Specifically, the execution control program acts as dedicated “launcher software” that starts the second software.

Furthermore, the execution control program performs the following processing. (1) First, on the basis of specified information received from the verification part (i.e., utilizing a decoding key contained in this specified information), the execution control program decodes the second software. The decoded second software is substituted for the first software. (2) Next, on the basis of specified information received from the verification part (i.e., utilizing a starting argument contained in this specified information), the execution control program creates starting information (a starting statement consisting of a starting argument and the registry path for the decoded second software), and starts the second software by means of this starting information. As a result, the user can use the second software in the user computer. (3) Even after the second software is started, the execution control program monitors the conditions of execution of the second software, and disables the second software when the completion of the execution of the second software is detected. As a result, the user becomes unable to use the second software.

In cases where the user wishes to use [the software] again, the user must again undergo verification by the user verification part, and acquire specified information. Alternatively, the user computer may again be caused to access the distribution part, so that the user computer again downloads the second software. It is not necessary to download all of the second software again; if the system is constructed so that only the program part is downloaded again, the communications time can be shortened, so that traffic can be reduced. Furthermore, it is desirable that the specified information that is transmitted to the user computer from the verification part be encrypted.

When the execution of the second software is completed, the execution control program disables the second software. This disabling refers to a process that makes it impossible to start or execute the second software. Various methods can be used as disabling methods. For example, disabling can be accomplished by deleting all of the decoded second software. Furthermore, in cases where only a portion of the software is disabled, the second software can be restarted by receiving the deleted portion and the starting argument from the verification part. Alternatively, in cases where the second software includes a program and an accompanying data group, the second software can be disabled by deleting only the program. Furthermore, if the encoded data prior to decoding is stored, the second software can be restarted merely by receiving specified information from the verification part.

The term “accompanying data group” refers to a data group other than the program that is used in the execution of the [abovementioned] program; examples of such data include image data, voice data, musical data, text data and the like.

In a preferred embodiment, the execution control program is constructed so that this program can handle a plurality of different types of second software, and the specified information that is transmitted to the execution control program by the verification part includes storage destination address information and a starting argument for the second software that is to be started, and decoding key data for decoding the second software.

The execution control program that controls real-time on-line verification via the communications network and the starting and completion of the second software is created separately from the second software. Accordingly, numerous different types of second software can be handled merely by preparing a single type of execution control program.

In a preferred embodiment, the execution control program transmits verification information including machine information that is specific to the user computer and encrypting key into to the verification part, the verification part performs user verification on the basis of at least this machine information, and in cases where it is confirmed that the user is a valid user, the verification part encrypts the specified information with the encrypting key information and transmits this specified information to the execution control program via the communications network; furthermore, the system is constructed so that a plurality of sets of machine information can be registered in the verification part.

For example, machine information that is specific to the user computer may include MAC addresses or the like. In addition, user computer construction information (e.g., amount of memory installed, CPU specifications, sound chip and graphic accelerator product names and the like) may also be used. A plurality of types of machine information can be registered in the verification part. As a result, users who have properly purchased the second software can utilize the same second software using a plurality of user computers such as home personal computers, workplace personal computers and the like.

In a preferred embodiment, in cases where the verification part has confirmed that the user is a valid user, the verification part transmits second software list data that can be started by the user to the user computer, and transmits specified information relating to the second software selected from the list data to the execution control program via the communications network.

There may also be cases in which the user has formally purchased licenses for a plurality of different types of second software; in such cases, following user verification, the verification part transmits list data showing examples of the names or the like of second software that can be utilized by the user to the user computer. The user selects second software that he wishes to start from the list menu showing software that can be started (i.e., that can be utilized). As a result, the verification part creates specified information for decoding and starting the selected second software, and transmits this specified information to the execution control program.

In a preferred embodiment, the execution control program causes a function which acquires machine information that is specific to the user computer, a function which creates encrypting key information, a function which requests user verification from the verification part, and which transmits at least machine information and encrypting key information to the verification part, a function which allows the user to select one set of second software from the list data of startable second software that is received from the verification part, and which notifies the verification part of the selected second software, a function which receives specified information in which storage destination address information for the selected second software in the user computer, a starting argument and decoding key information are encrypted by means of at least encrypting key information, a function which decrypts the encrypted specified information using at least the encrypting information, a function which decodes the second software in the user computer by means of the decrypted decoding key information, a function which creates starting information on the basis of the decrypted starting argument and storage destination address information, a function which starts the decoded second software by means of the created starting information, and a function which monitors the conditions of execution of the started second software, and disables the second software when the execution of the second software is completed, to be realized in the user computer.

Furthermore, in a preferred embodiment, the second software contains a program and an accompanying data group, and at least one of these, i.e., the program or accompanying data group, is updated.

Here, the first software that is installed in the user computer can be executed without receiving verification by means of the verification part until this first software is replaced by the second software.

Furthermore, in a preferred embodiment, the execution control program is constructed as a program that cannot be forcibly ended separately from the second software.

Specifically, for example, [the execution control program] can be constructed so that the execution control program alone cannot be forcibly ended using a program that manages tasks in operation or the like. This is done so that monitoring by the execution control program cannot be stopped and the second software alone copied or the like. More concretely, if the execution control program is created as a device driver that does not designate hardware (since hardware is not designated, this is not strictly a device driver), since this program is constructed as a program that is closer to the OS side than an application program, or as a program that forms a part of the OS, it is difficult to forcibly end this program as in the case of an ordinary application program. In addition to driver programs, BIOS (basic input/output systems) are also known as programs that are difficult to end forcibly. However, since BIOS basically have only the function of directly transmitting and receiving data with hardware, such BIOS cannot perform a high degree of control such as decrypting encrypted data, monitoring the execution of the [abovementioned] second software or the like. Thus, for example, by constructing the execution control program as an intermediate program that is positioned between the OS and application program (second software) as in the case of a device driver, it is possible to prevent misuse while causing a high degree of processing to be performed.

In a preferred embodiment, the distribution part and verification part are realized in respectively separate computers.

For example, the distribution part that distributes the second software and execution control program can be installed for each software firm, and the verification part that performs verification at the time of starting of the second software can be installed for each country, each region or each group of software firms.

The present invention can also be grasped as the invention of a program.

Specifically, this is an execution control program which updates the first software installed in the user computer to the second software, and controls the execution of this second software, and is a software execution control program which causes a first function that communicates with an outside verification part via a communications network, and that requests user verification, a second function that creates starting information for starting the second software on the basis of specified information received from the verification part, a third function that decodes the second software on the basis of specified information received from the verification part, a fourth function that replaces the pre-updating software already installed in the user computer with the decoded second software, a fifth function that starts the second software by means of the created starting information, and a sixth function that monitors the conditions of execution of the second software, and that disables the second software when the execution of the second software is completed, to be realized in the user computer.

Furthermore, the present invention can also be grasped as a software updating method.

Specifically, this is a software updating method comprising the steps of notifying the user that the freely usable first software installed in the user computer can be updated to the second software, connecting the user computer via a communications network to a distribution computer that distributes the second software, and requesting updating to the second software, transmitting the encoded second software and an execution control program for controlling the execution of this second software from the distribution computer to the user computer via a communications network, connecting the user computer and verification computer via the communications network and requesting user verification from the verification computer by means of the execution control program started in the user computer, decoding the second software on the basis of specified information transmitted to the user computer from the verification computer in cases where the user is confirmed as a valid user by user verification, creating starting information for starting the second software on the basis of specified information received from the verification computer, starting the second software by means of the created starting information, and monitoring the execution of the second software and disabling the second software when the execution of the second software is completed.

The management computer according to another aspect of the present invention controls the operation of the execution control program by performing communications with the execution control program which is installed in the user computer together with the application software and monitoring program. Furthermore, this management computer comprises a verification part which performs user verification on the basis of requests from the execution control program, an information transmission part which transmits first information that is required for the execution control program to start the application software in cases where it is confirmed by the verification part that the user is a valid user, and a continuing execution management part which manages whether or not continuation of the execution of the application software is allowed on the basis of continuation confirmation communications performed with the execution control program at a specified time.

In one aspect of the present invention, the continuing execution management part compares first identification information acquired by continuation confirmation communications and second identification information associated beforehand with user verification, and in cases where both sets of identification information correspond, the continuing execution management part allows the execution control program to continue execution of the application software, while in cases where the respective sets of identification information do not correspond, the continuing execution management part prohibits the execution control program from continuing the execution of the application software.

In one aspect of the present invention, the continuing execution management part sets first identification information corresponding to the second identification information in the execution control program beforehand.

In one aspect of the present invention, the continuing execution management part sets a specified time in the execution control program beforehand, and when this preset specified time arrives, continuation confirmation communications are caused to take place from the execution control program to the continuing execution management part.

In one aspect of the present invention, the continuing execution management part can set the specified time in a variable manner.

In one aspect of the present invention, the continuing execution management part can set the specified time in a variable manner while taking into account at least the predicted future load conditions.

In one aspect of the present invention, the monitoring program respectively monitors the operating conditions of the application software and the execution control program, and in cases where either the application software or the execution control program stops operating, the monitoring program respectively shuts down the application software and the execution control program, and also shuts itself down; furthermore, the execution control program respectively monitors the operating conditions of the application software and the monitoring program, and in cases where the application software or monitoring program stops operating, the execution control program respectively shuts down the application software and the monitoring program, and also shuts itself down.

The computer program according to still another aspect of the present invention is a program which causes a computer to function as an execution control part that controls the execution of application software, and a monitoring part that respectively monitors the operating conditions of the application software and execution control part, the execution control part comprises a function which requests user verification by communicating with the management computer, a function which starts the application software on the basis of first information received from the management computer, a function which performs continuation confirmation communications with the management computer, and a function which shuts down the operation of the application software in cases where continuation of the execution of the application software is prohibited by the continuation confirmation communications, and the monitoring part comprises a function which respectively monitors the operating conditions of the application software and the execution control part, and a function which respectively shuts down the application software and the execution control part, and which also shuts itself down, in cases where either the application software or the execution control part stops operating.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an explanatory diagram showing an overall outline of a software execution control system constituting an embodiment of the present invention;

FIG. 2 shows the structures of the data bases and the like, with FIG. 2 (a) showing a user information data base,

FIG. 2 (b) showing a game information data base, and FIG. 2 (c) showing how encrypted starting information is embedded in the HTML header and transmitted;

FIG. 3 shows the schematic structures of programs, with FIG. 3 (a) showing a game program, and FIG. 3 (b) showing the structure of the execution control program;

FIG. 4 is an explanatory diagram showing how an old edition of a game program installed in the computer is updated to a new edition of this game program, and how the starting of this program is controlled;

FIG. 5 is a flow chart showing the processing that is performed when a game program and an execution control program are installed;

FIG. 6 is a flow chart showing the on-line verification and the like performed between the execution control program and the verification computer;

FIG. 7 is an explanatory diagram showing an overall outline of a software execution control system constituting an embodiment of the present invention;

FIG. 8 shows the structures of the data bases and the like, with FIG. 8 (a) showing a user information data base, FIG. 8 (b) showing a game information data base, and FIG. 8 (c) showing a monitoring condition data base;

FIG. 9 is a flow chart showing an outline of the overall operation of the software execution control system;

FIG. 10 is a flow chart showing an outline of the processing of the periodically performed continuation confirmation communications;

FIG. 11 is a flow chart showing an outline of the processing that determines the time at which the next continuation confirmation communications are to be performed;

FIG. 12 is a flow chart showing an outline of the processing whereby the game manager and monitoring program monitor each other; and

FIG. 13 is an explanatory diagram showing an overall outline of a software execution control system constituting still another embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Embodiments of the present invention will be described in detail below with reference to FIGS. 1 through 13.

First, a first embodiment will be described with reference to FIGS. 1 through 6. FIG. 1 is an explanatory diagram which shows an overall outline of the software execution control system. In the present embodiment, a system in which a game program is updated on-line will be described as an example.

The distribution computer 10 distributes a new edition of a game program 40 and an execution control program 50 to respective user computers 30 via a communications network such as the internet or the like. The distribution computer 10 can be constructed as a server which is respectively installed for each software firm (vendor).

First, for a new edition program registered in the game program data base 12, the distribution computer 10 performs registration in the verification computer 20 in advance (S1).

For example, data such as the name, type, retail price, data size, version information and the like for a new edition game program is registered in the verification computer 20 from the distribution computer 10. Of course, in cases where the distribution computer 10 and verification computer 20 are constructed as an integral unit, such notification via an external network is not absolutely necessary.

When the distribution control part 11 of the distribution computer 10 receives a program updating request from the user computer 30, this distribution control part 11 reads out the game program 40 desired by the user from the game program data base 12, and distributes this program to the user computer 30 (S2). Here, it should be noted that the new edition of the game program 40 is not distributed to the user computer 30 alone, but is rather distributed to the user computer 30 together with the execution control program 50 that manages the starting, deletion and the like of the game program 40.

For example, the verification computer 20 can be constructed as a server that is respectively installed for each group or organization to which the software firm belongs. Furthermore, the present invention is not limited to this; verification computers 20 may also be installed for each software firm. The verification computer 20 comprises a verification part 21, a fee processing part 22, a starting information transmission part 23, a user information data base 24, and a game information data base 25.

The verification part 21 is a part which performs user verification on the basis of specified verification data transmitted from the execution control program 50 of the user computer 30. Details will be described later; however, the user verification data includes user identification information (a user ID), a password (PW), a MAC address (media access control address) and the like.

The fee processing part 22 is a part which charges the user a fee when permission to use the updated game program 40 is given. Various methods may be used as the method of levying a fee. For example, the user may be asked to pay a fee for the game program at one time (purchase of the program), or the user may pay a fee each time that he uses the program. Alternatively, the system may be devised so that a fee is charge at a specified period or for a specified number of times [of use]. Furthermore, various payment methods such as payment by credit card, payment by electronic money order or the like may be used.

The starting information transmission part 23 transmits starting information that is necessary in order to decode and start the new edition of the game program 40 stored in a storage device (e.g., hard disk or the like) of the user computer 30 to the execution control program 50 of the user computer 30.

The user undergoes verification with the verification part 21 of the verification computer 20 via the execution control program 50, and in cases where it is verified that the user is a valid user who has paid the purchase price (or use fee) of the game program 40 (S3), the starting information is transmitted to the execution control program 50 from the starting information transmission part 23 (S4). In cases where a user who has not yet paid the fee for the game program 40 accesses the verification computer 20, the starting information is transmitted to the execution control program 50 after fee processing is performed via the fee processing part 22.

Now turning our attention to the construction of the user computer 30, this user computer 30 is constructed (for example) as a computer such as a personal computer, workstation, portable information terminal, portable telephone or the like. The user computer 30 comprises (as necessary) computer resources such as a calculation processing unit (CPU), main memory, auxiliary memory, external input-output circuit and the like, and these respective resources are appropriately used by the game program 40 and execution control program 50.

The new edition of the game program 40 and the execution control program 50 that are transmitted to the user computer 30 from the distribution computer 10 are installed in the user computer 30 by an accessory installer (as will be described later). Furthermore, the execution control program 50 performs user verification with the verification computer 20, and when the starting information is input, the game program 40 is started (S5). Furthermore, since the old edition of the game program that was already installed in the user computer prior to the installation of the new edition of the game program 40 is replaced by the new edition of the program, the old edition of the game program 40 cannot subsequently be used.

The user can utilize the new edition of the game program 40 via the user computer 30. Furthermore, when the user finishes the game and completes the game program 40, the execution control program 50 disable the game program 40 by deleting the game program 40 or the like (S6). In cases where the user again utilizes the game program 40, the user again accesses the verification computer 20, undergoes user verification, and acquires starting information.

Here, since the new edition of the game program 40 is stored as an encrypted file prior to decoding in the storage device of the user computer 30, in cases where the game program 40 is to be reused, it is necessary merely to acquire information that is used for the decoding of this encrypted file (i.e., a decoding key) and information that is used for the starting [of the program] from the verification computer.

Specifically, in the present embodiment, the new edition of the game program 40 is stored as an encrypted file on the local disk of the user computer 30, and each time that the game is played, on-line verification is performed with the verification computer 20, and the encrypted game program 40 is decoded and started. Then, after the game is finished, the decoded game program 40 is disabled by being deleted.

Next, FIG. 2 is an explanatory diagram showing examples of construction of the user information data base 24 and game information data base 25 used by the verification computer 20. Furthermore, the contents of the respective data bases 24 and 25 shown in FIG. 2 are merely examples; it is not necessary that all of the items shown in the figure be provided.

For example, the user information data base 24 shown in FIG. 2 (a) is constructed by respectively associating the user ID, password, a plurality of MAC addresses 1 through n, game IDs 1 through n that specify the purchased game programs, and other information. Here, the reason that the system is devised so that a plurality of MAC addresses 1 through n can be registered is that cases in which a single user uses a game program 40 by using a plurality of different user computers 30 are also taken into account. Accordingly, for example, the user can utilize the game program 40 via different information processing terminals such as a workplace computer, home computer and the like. Examples of other information that can be used include the user's name, age and address, the number of times that the game is played, the number of points scored (e.g., in cases where points are awarded in accordance with the game purchase price, number of times played or the like) and the like.

Furthermore, for example, the game information data base 25 shown in FIG. 2 (b) is constructed by associating the game ID, name of the game, game information (information indicating the registry path of the game program), decoding key that is used to decode the encrypted game program 40, starting argument that is used to start the decoded game program 40, and other information. Examples of other information that can be used include the type of the game (role playing game, combat game, presence or absence of designation for adults or the like), data size, copyright management information and the like.

As is shown in FIG. 2 (c), the game information, decoding key and starting argument are embedded in encrypted HTML (hyper text markup language) data, and are transmitted to the user computer 30. Specifically, the starting information (game information, decoding key, starting argument) is encrypted by means of an encrypting key and MAC address created on the side of the user computer 30, and is embedded in (for example) the HTML header part. Accordingly, in response to an HTTP (hyper text transport protocol) request from the user computer 30, the verification server 20 creates encrypted starting information, and returns an HTTP response containing this encrypted starting information to the user computer 30.

Next, FIG. 3 is an explanatory diagram which shows the schematic construction of the game program 40 and the execution control program 50.

As is shown in FIG. 3 (a), the game program 40 includes a program proper 41 and an accompanying data group 42. Examples of data in the data accompanying group 42 include movie data, still image data, graphics data, musical data, voice data, text data and the like.

In the new edition of the game program 40, compared to the old edition of the program, either the program [proper] 41 or the accompanying data group 42, or both, are newly created. In cases where both the program proper 41 and the accompanying data group 42 are newer than in the old edition, both the program proper 41 and accompanying data group 42 are replaced by new editions. In cases where only the accompanying data group 42 is new or in cases where only the program proper 41 is new, either the accompanying data group 42 or the program proper 41 is replaced by a new edition.

As is shown in FIG. 3 (b), the execution control program 50 causes the respective functions of an encryption information producing part 51, a verification request part 52, a game selection part 53, a decryption part 54, a starting part 55, a decoding part 56 and an execution monitoring part 57 to be realized in the user computer 30. As one example, the execution control program 50 is constructed as a device driver that specifies the device. Accordingly, for example, the execution control program 50 differs from application programs such as game programs or the like in that this execution control program can be constructed so that this program cannot be ended from a task management program or the like.

For example, besides creating an encrypting key on the basis of time information acquired from an internal timer in the user computer 30, the encryption information producing part 51 acquires MAC addresses and the like of the user computer 30.

The verification request part 52 internally calls up the network access function mounted in the user computer 30, accesses the verification computer 20, transmits the encrypting key, MAC address, user ID and password to the verification computer 20, and requests user verification.

The game selection part 53 allows the user to selected desired games from a list menu that is transmitted to the user computer 30 from the verification computer 20 after user verification is completed. This list menu displays the game programs that can be utilized (started) by the user in a list format, and can be created on the basis of purchased game IDs in the user information data base 24.

The starting information that is used to start the game program 40 selected by the user in accordance with the MAC address and the encrypting key created by the encryption information producing part 51 is encrypted and transmitted to the user computer 30. The decryption part 54 decrypts the encrypted starting information on the basis of the encrypting key and MAC address.

The decoding part 56 decodes the encrypted game program 40 by means of the decrypted decoding key. Furthermore, the encrypted file is stored “as is”. The starting part 55 creates a starting statement and starts the decoded game program 40 on the basis of the decrypted game information and starting argument. The starting statement is constructed from the registry path and starting argument of the game program.

When the game program 40 is started, the execution monitoring part 57 monitors the conditions of execution of the game program 40, and when the game program 40 ends, the decoded program proper 41 is deleted. Furthermore, the decoded accompanying data group may also be deleted along with [the game program proper 41]. Furthermore, when this deletion is performed, all of the program or data may be deleted, or a portion of the program and data may be deleted.

Next, FIG. 4 is an explanatory diagram which shows in model form how the game program is updated to the most recent edition by the present system.

First, as is shown in FIG. 4 (a), the old edition of the game program has already been installed in the user computer 30. Moreover, in the figures, the old edition of the game program prior to upgrading of the version is indicated as the “initial program”, and the new edition of the game program whose version is upgraded is indicated as the “updated edition of the program”.

For example, the user installs the old edition of the game program 40A which is fixed on a storage medium such as a CD-ROM, DVD-ROM, memory or the like in the user computer 30, and utilizes this program (S11). Alternatively, the user may also acquire the old edition of the game program 40A via a communications network such as the internet or the like. This old edition of the game program 40A can be used without undergoing on-line verification with the verification computer 20. However, once updating has been performed by the present updating system, utilization is impossible without undergoing on-line verification even in cases where the updated edition of the program is the old system.

The user utilizing the old edition of the game program 40A is notified that updating to the new edition of the game program 40 is possible. This notification can be performed by various methods.

For example, the first method is a method in which the user is informed, either actively or passively, that the old edition of the game program 40A can be updated to the new edition of the game program 40, and at the same time, the URL (uniform resource locator) of the distribution computer 10 is displayed. As active notification, for example, it is conceivable that the fact that updating is possible might be displayed on the screen along with the URL at the time that the game is started or at the time that the game is ended. As passive notification, for example, it is conceivable that the fact that updating is possible might be displayed along with the URL of the distribution computer in the help menu for the old edition of the game program. In either case, a system that is convenient for the user can be obtained by constructing the system so that the web browser 31 is started and the user computer 30 is automatically caused to access the distribution computer merely by clicking on the URL.

The second method is a method in which the user is notified either actively or passively of the fact that updating to the new edition of the game program is possible, along with the URL of the distribution computer 10, via an electronic medium. For instance, an email that is addressed to the user can be cited as an example of active notification. Furthermore, for instance, advertising of the new edition of the game program 40 by means of a web site (for example, the distribution computer 10 or the like) is conceivable as an example of passive notification.

In addition, advertising via a paper medium such as a game magazine, computer magazine or the like, or advertising to the community as in a game program fan society formed on network, is conceivable as a third method.

Thus, the user can be notified of the existence of the new edition of the game program 40. As is shown in FIG. 4 (b), a user who desires updating accesses the distribution computer 10 via the web browser 31, and requests updating to the new edition of the game program 40 (S12).

As is shown in FIG. 4 (c), the distribution computer 10 transmits the new edition of the game program 40 (including the accompanying data group as well) desired by the user to the user computer 30 via the communications network (S13). Furthermore, the execution control program 50 is also formed into a set together with the new edition of the game program 40, and is transmitted to the user computer 30 (S13). The new edition of the game program 40 and the execution control program 50 are stored in the storage device of the user computer 30.

A dedicated installer is attached as an accessory to the new edition of the game program 40 and the execution control program 50. The new edition of the game program 40 and the execution control program 50 are installed in the user computer 30 by means of this installer. When the execution control program is started, as is shown in FIG. 4 (d), the execution control program 50 calls up a network access function, accesses the verification computer 20, and performs user verification and purchase processing (fee processing) with the verification computer 20 (S14). After this user verification and fee processing are completed, the verification computer 20 transmits encrypted starting information to the execution control program 50 of the user computer 30 (S15).

The execution control program 50 decrypts the encrypted starting information, and extracts the decoding key, starting argument and the like. Then, the execution control program 50 decodes and starts the game program 40. The conditions of execution of the game program 40 are monitored by the execution control program 50.

As is shown in FIG. 4 (e), when the user finishes playing the game, and the game program 40 ends, the execution control program 50 disables the new edition of the game program 40 by deleting this program (S16).

As one example, only the new edition of the game program 40 that has been decoded and placed in a state that allows execution (a state that allows starting by the input of the starting statement); here, the encrypted file (prior to decoding) that is acquired from the distribution computer 10 can be stored “as is” in the storage device of the user computer 30.

As a result, in cases where the user wishes to play the game program 40 again, the user need merely access the verification computer 20, undergo on-line user verification, and again acquire starting information from the verification computer 20 (S17). Since there is no need to re-acquire the encrypted game program 40 from the distribution computer 10, the trouble of downloading can be avoided, and the burden on the communications network can be reduced.

A method in which only the starting information of the game program 40 is thus re-acquired in cases where the game program 40 is to be played again is convenient. However, the present invention is not limited to such a method; it would also be possible to devise the system so that the encrypted program prior to decoding is re-acquired from the distribution computer 10. Furthermore, it would also be possible to delete only the decoded program proper 41, and to leave the accompanying data group 42 “as is”.

Next, details of the processing of the present system will be described with reference to FIGS. 5 and 6. The flow charts shown in the figures indicate the rough flow of the processing, and differ from the actual programs.

FIG. 5 shows the processing used for the installation of the installation of the new edition of the game program 40 and execution control program 50 stored in the storage device of the user computer 30 and the like.

The game program 40 and execution control program 50 are stored in the user computer 30 in the form of encrypted files. For example, the installer starts when the user causes the occurrence of a starting event, as by selecting an encrypted file with the mouse pointer and double-clicking on this file or the like (S21).

The installer judges whether or not the old edition of the game program 40A that is to be updated has already been installed in the user computer 30 (S22). In cases where the old edition of the game program 40A has not been installed, for example, a warning message such as “OLD EDITION OF GAME HAS NOT BEEN INSTALLED. PROCESSING WILL BE ENDED.” or the like is displayed on the screen, and the processing is ended (S23).

In cases where the old edition of the gram program 40A has been installed in the user computer (S22: YES), a judgment is made as to whether or not the new edition of the game program 40 and the execution control program 50 are to be newly installed (S24). In cases where the new edition of the game program 40 and the execution control program 50 have been installed in the past, the view may be taken that user registration and fee processing have already been completed. Accordingly, as a result, it is judged in S24 whether or not user registration and fee processing have already been completed.

In the case of installation for the first time, the function of the web browser 31 is called up and connected to the verification computer 20, and the user is caused to perform user registration and fee processing (S25, S26).

Next, the installer ascertains the registry of the execution control program 50, and in cases where the execution control program 50 has not yet been installed, the installer installs the execution control program 50 (S27). In order to rewrite the old edition of the game program 40A as the new edition of the game program 40, the installer rewrites the old editions of the program proper 41 and accompanying data group 42 as the new editions of the program proper 41 and accompanying data group 42 (S28, S29). Then, the installer starts the execution control program 50 and ends the processing (S30).

FIG. 6 is a flow chart showing the execution control processing performed by the execution control program 50, the processing of the verification computer 20 and the like.

The started execution control program 50 acquires machine information that is specific to the user computer 30 (in concrete terms, the MAC address) (S41). Furthermore, the execution control program 50 acquires current time information from an internal timer in the user computer 30, and creates an encrypting key on the basis of this time information (S42).

Next, the execution control program 50 calls up the function of the web browser 31 (S43), makes a connection with the verification computer 20 via the communications network, and requests log-in verification from the verification computer 20 (S44). The execution control program 50 transmits the user ID, password, MAC address and encrypting key to the verification computer 20 (S44). The verification computer 20 refers to the user information data base 24, and judges whether or not the user is a valid user (S61).

In cases where it is confirmed that the user is a valid user, the verification computer 20 creates list data listing the game programs that can be utilized by the user, and transmits this data to the user computer 30 (S62). Typically, game programs that have been purchased by the user may be cited as examples of game programs that can be utilized by the user. However, utilizable programs are not limited to such purchased programs; for example, game programs that are provided free of charge by software firms may also be included in such utilizable game programs.

When the execution control program 50 receives the list data of utilizable game programs from the verification computer 20, the execution control program 50 causes a list of games to be displayed on the monitor display of the user computer 30 (S45). The user selects the game that he wishes to play on the basis of this list menu (S46).

The verification computer 20 refers to the game information data base 25, creates starting information that is required in order to start the game program selected by the user, and encrypts this starting information by means of the encrypting key, MAC address and the like acquired in S61 (S63). The verification computer 20 transmits the encrypted starting information to the execution control program 50 of the user computer 30 (S64).

When the execution control program 50 receives the encrypted starting information from the verification computer 20 (S47), the execution control program 50 decrypts this encrypted starting information by means of the encrypting key and the MAC address (S48).

Next, the execution control program 50 acquires registry information for the new edition of the game program 40 (S49), and creates a starting statement by means of the registry path and starting argument (S50).

Furthermore, the execution control program 50 decodes the encrypted new edition of the game program 40 by means of the decoding key extracted from the starting information, and develops this into a specified directory of a specified drive (S51). As a result, the game program 40 is decoded and placed in a state waiting for starting.

Then, the execution control program 50 starts the decoded new edition of the game program 40 by means of the starting statement created in S50 (S52, S70). As a result, the user can play the new edition of the game program 40 (S71).

The execution control program 50 monitors the conditions of execution of the game program 40 (S53), and when the user finishes the game and ends the game program 40 (S72), the execution control program 50 disables the game program 40 by deleting the decoded program proper 41, and ends the processing (S54).

Furthermore, in cases where the user again desires to play using the game program 40, the user need merely access the verification computer 20 again, undergo on-line verification, and acquire starting information.

In the present embodiment constructed as described above, illegal use in which the use right is not purchased can be prevented even in the case of the distribution of downloading type software in which a program is stored in the user computer 30.

Specifically, in the present embodiment, in order to start the game program 40, it is necessary to perform on-line verification via the execution control program 50, and to obtain driving information from the verification computer 20 via the communications network, each time that the game program 40 is used. Accordingly, even if the game program 40 alone is illegally copied by itself, this illegally copied game program cannot be started by itself.

Furthermore, the execution control program. 50 is constructed as a program that is close to the OS side, as in a device driver, and therefore cannot be closed by ordinary methods as in the case of a device driver. Accordingly, the system is devised so that the execution control program 50 and gram program 40 cannot be separated and the game program 40 alone illegally copied or taken out.

The present invention can be used in various types of businesses. For example, by updating the old editions of game programs that were illegally copied and circulated in the past, it is possible to force illegal users to acquire use rights in a formal manner, thus converting such users into valid users. In order to cause illegal users to switch to new editions of game programs, it would be possible to stimulate the desire of such users to update by preparing accompanying data groups (game scenarios, music or the like) corresponding the users' native languages, or by newly preparing additional scenarios or the like.

Next, another embodiment will be described with reference to FIGS. 7 through 12. In the present embodiment, a case in which a game program is fixed to a storage medium and circulated will be described as an example. In the present embodiment, the description given in the above mentioned embodiment can be appropriately applied as long as this description does not restrict the scope of the present invention. In the present embodiment as in the above mentioned embodiment, the execution of the game program is controlled by means of an execution control program (game manager in the present embodiment) as will be described later. In addition, in the present embodiment, on-line verification between the verification computer (DRM computer in the present embodiment) and the execution control program can be performed periodically.

FIG. 7 is an explanatory diagram which shows an overall outline of the software execution control system of the present embodiment. For example, as will be respectively described later, the present system can be constructed so that this system includes a supplier computer 100, a DRM [conversion] computer 200, and a user computer 300.

For instance, the supplier computer 100 is used by a software vendor who produces program products. The supplier computer 100 comprises a DRM part 110 that processes the game program 400 and converts this program into a DRM program 700. Here, “DRM” is an abbreviation for “digital rights management”, and refers to the management of rights to the digitized contents [of programs] such as game programs or the like. In the present specification, “DRM conversion” refers to a process whereby resistance to improper use and the like is improved by setting individual protection (described later) for non-protected game programs.

The DRM part 110 sets individual protection for the game program 400 by adding a game manager 500 and a monitoring program 600 to the game program 400. The protected game program 400 is taken as a DRM-converted program 700, and is recorded on a recording medium RM and circulated on the market. The game manager 500 and monitoring program 600 will be further described later.

Various types of media such as CD-ROMs, DVD-ROMs, optical disks, hard disks, flexible disks, semiconductor memories, magnetic tapes and the like can be appropriately used as the recording medium RM. The DRM-converted program 700 may be compressed and recorded on the recording medium RM, or the DRM-converted program 700 may be recorded on the recording medium RM without being compressed. Furthermore, the installer that is used to install the DRM-converted program 700 in the user computer 300 can also be stored on the recording medium RM.

The DRM conversion computer 200 is one example of a “management computer”. For example, the DRM computer 200 can also be called a “verification management server”. A DRM conversion computer 200 may be provided for each software vendor, or a single DRM conversion computer 200 may be provided for a plurality of software vendors.

The DRM [conversion] computer 200 transmits user verification and starting information, and manages the continued execution, by performing communications with the game manager 500 that operates in the user computer 300. The DRM [conversion] computer 200 comprises a verification part 210, an operating information transmission part 220, and a continued-execution management part 230.

Furthermore, the DRM [conversion] computer 200 can utilize the user information data base 240, game information data base 250, and monitoring condition data base 260. Moreover, the DRM [conversion] computer 200 need not be physically constructed from a single computer; this computer may also be realized by the cooperative operation of a plurality of computers.

Like the verification part 21 of the above mentioned embodiment, the verification part 210 performs user verification on the basis of verification data that is transmitted from the game manager 500 such as (for example) the user ID and password (shown as “PW” in the figures). Furthermore, like the starting information transmission part 23 in the abovementioned embodiment, the starting information transmission part 220 transmits to the game manager 500 (for example) information that is required for the game manager 500 to decode the game program 400 and place this game program 400 in a state that allows starting.

The continued-execution management part 230 manages whether or not the execution of the game program 400 is continued by performing communications with the game manager 500 at specified times. Details will be further described later; however, the continued-execution management part 230 compares a session ID that is transmitted from the game manager 500 with a session ID that is stored beforehand, and allows continuation of the execution of the game program 400 in cases where both IDs agree. Conversely, in cases where the two session IDs do not agree, the continued execution processing 230 instructs the game manager 500 to forcibly end the game program 400.

Like the user computer 3 of the abovementioned embodiment, the user computer 300 can be constructed as a personal computer, portable information terminal or portable telephone. The user computer 300 may comprise hardware resources and software resources as required, such as a CPU, memory, auxiliary storage device, OS, various types of device drivers and the like. The game program 400, game manager 500 and monitoring program 600 can appropriately utilize hardware resources and software resources of the user computer 300.

The game program 400, game manager 500 and monitoring program 600 are respectively performed in the user computer 300 by reading the stored contents of the recording medium RM into the user computer 300 and performing specified installation processing. For a user with proper authorization, the game manager 500 acts as a launcher program for starting the game program 400. However, the game manager 500 is not a simple launcher program, but controls the operation of the game program 400. Furthermore, the game manager 500 respectively monitors the operating conditions of the game program 400 and monitoring program 600, and in cases where either of the objects of monitoring ceases operation, the game manager 500 shuts down the operation of the other object of monitoring, and shuts down its own operation.

The monitoring program 600 respectively monitors the operating conditions of the game program 400 and the game manager 500, and in cases where either of these objects of monitoring ceases to operate, the monitoring program 600 shuts down the operation of the other object of monitoring, and shuts down its own operation. A valid user can use the game program 400 without being aware of the existence of the monitoring program 600.

FIG. 8 is an explanatory diagram showing one example of the respective data bases 240 through 260. As is shown in FIG. 8 (a), for example, the user information data base 240 can associated and manage the user ID, password, MAC address, session ID and other information. As will be described later, the session ID is information that is used to judge whether or not continued execution is permitted. Specifically, in order to prevent the game program 400 from being improperly performed using a user computer that is separate from the user computer 300 that was initially verified, the game manager 500 and DRM [conversion] computer 200 periodically perform communications. In this case, the session ID that is received from the game manager 500 is compared with the session ID that is registered in the user information data base 240, and continuation of the execution of the game program 400 is permitted only when these session IDs agree. Furthermore, as in the case of the user information data base 24 shown in FIG. 2 (a), a plurality of MAC addresses may be associated with a single user ID.

As is shown in FIG. 8 (b), the game information data base 250 can be managed by (for example) associating game IDs, game names, game information, decoding keys (activating keys), starting arguments and reporting modes. Here, the term “reporting mode” refers to information that sets the policy relating to periodic reporting to the DRM [conversion] computer from the game manager 500. For example, the reporting mode can be set by the provider (software vendor) of the game program 400.

Here, examples of reporting modes that can be used include a mode in which a report is made to the DRM [conversion] computer 200 only when the game program 400 is initially started, a mode in which a report is made to the DRM [conversion] computer 200 each time that the game program 400 is started, a mode in which a report is made to the DRM [conversion] computer 200 at as short a period as possible with priority given to the monitoring efficiency, and a mode in which a report is made to the DRM [conversion] computer 200 at a low frequency with consideration given to reducing the burden on the DRM [conversion] computer 200.

As is shown in FIG. 8 (c), the monitoring condition data base can be managed by associating (for example) the user IDs of the respective users executing the game program 400, the reporting periods from the respective user computers 300, the next reporting time, the game IDs of the game programs 400 executed by the respective users, and the game starting times. As will be described later, the next reporting time is actively controlled on the basis of the burden conditions, reporting mode and the like of the DRM [conversion] computer 200.

Next, the operation of this system will be described with reference to FIGS. 9 through 12. First, FIG. 9 is a flow chart showing an outline of the operation that is performed when this system is started.

For example, the user desiring to utilize a game program 400 selects the game icon representing the desired game program 400, and gives instructions to start [this game program 400]. When the operation performed by this user is detected, the game manager 500 first starts (S101).

The game manager 500 acquires the MAC address which is one example of machine information that is specific to the user computer 300 (S102), and transmits this MAC address to the DRM [conversion] computer 200 via the communications network CN (S103).

The DRM [conversion] computer 200 registers the MAC address received from the game manager 500 in the user information data base 240 (S121, S122). At this point in time, only the MAC address has been ascertained; there is no association with the user ID or the like. Furthermore, it would also be possible to hold the MAC address in memory without registering this address in the user information data base 240, and then to register the MAC address in the user information data base 240 together with the user ID, session ID or the like in cases where user verification is successful.

The DRM [conversion] computer 200 issues a session ID, and further sets the reporting period. An initial value that is set beforehand can be used as the initially set reporting period. Then, the DRM [conversion] computer 200 notifies the game manager 500 of the session ID and initial reporting period (S123).

When the game manager 500 receives the session ID and reporting period (S104), the game manager 500 stores and holds these sets of information in the memory of the user computer 300. Next, the game manager 500 judges whether or not the user ID and password have been input (S105). For example, the user can be prompted to input such a user ID and password by displaying a screen that requests the input of this user ID and password when the user selects a game icon.

When the game manager 500 recognizes the input of a user ID and password (S105: YES), the game manager 500 transmits the input user ID and password, and the game ID of the game program 400 that the user wishes to execute, to the DRM [conversion] computer 200 (S106).

When the DRM [conversion] computer 200 receives the user ID, password and game ID from the game manager 500 (S124), the DRM [conversion] computer 200 refers to the user information data base 240, and performs user verification (S125). In cases where the user ID and password registered beforehand agree with the user ID and password received from the game manager 500 (S125: YES), user verification is successful. The DRM [conversion] computer 200 registers the user ID, password, MAC address and the like in association with each other in the user information data base 240 (S127). Conversely, in cases where either the user IDs or the passwords do not agree (S125: NO), user verification fails, and error processing is performed (S126). Conceivable error processing includes the display of a message such as “ID OR PASSWORD IS DIFFERENT” on the screen of the user computer 300. Furthermore, for example, in cases where user verification fails a specified number of times or more, the starting of the game program 400 can be locked. Moreover, user verification information is not limited to the user ID and password; for example, biological information such as voice, fingerprints, iris images or the like can also be used.

As a result of the success of user verification, the DRM [conversion] computer 200 determines that the game program 400 desired by the user can be executed (S128). The DRM [conversion] computer 200 creates and encrypts information that is used to allow the game manager 500 to start the game program 400 whose execution is permitted (S129). Examples of such game starting information include execution information such as file names or the like, activating keys and the like. For example, the DRM [conversion] computer 200 encrypts such execution information and activating keys using the session ID and user information (MAC addresses or the like), and transmits this encrypted information to the game manager 500 (S130).

When the game manager 500 receives encrypted information from the DRM [conversion] computer 200 (S107), the game manager 500 decrypts the encrypted information (S108), and acquires the activating key and execution information (S109). The encryption algorithm used by the DRM [conversion] computer 200 is known to the game manager 500, and the information required for decryption is also present on the side of the user computer 300; accordingly, the encrypted information can be decrypted.

The game manager 500 decodes the game program 400 by means of the acquired activating key, and stores this decoded game program 400 in the memory of the user computer 300 (S110).

Specifically, in cases where the game program 400 is installed in the user computer 300, the game program, for example, is recorded in an encoded state in the auxiliary storage device of the user computer 300. In this encoded state, the game program 400 cannot be started. The game program 400 can be started at the point in time at which the game manager 500 has acquired the activating key from the DRM [conversion] computer 200, decoded the game program 400, and stored this game program in the memory of the user computer 300. Here, it should be noted that the decoded game program 400 (program that is to be executed) is not stored as a file, but is present only in the memory. Since programs in the memory are deleted at the time that the game program 400 is completed, it is necessary to acquire user verification and an activating key again via the game manager 500 in cases where the game is to be played again.

Furthermore, the game manager 500 starts the game program 400 placed in the memory of the user computer 300 on the basis of the execution information (S111). As a result, the user can execute and play the game program 400. Furthermore, at the same time that the game program 400 is started (this need not be simultaneous in a strict physical sense), the game manager 500 also starts the monitoring program 600 (S112). The operation of the monitoring program 600 will be further described later.

Next, the processing for controlling the continuation of the execution of the game program 400 will be described with reference to FIG. 10.

The game manager 500 refers to the reporting period that is set by the DRM [conversion] computer 200 at the time of starting (S141). By utilizing a timer function or the like of the user computer 300, the game manager 500 judges whether or not the reporting time preset by the DRM [conversion] computer 200 has arrived (S142).

In cases where the reporting time has arrived (S142: YES), the game manager 500 reads out the session ID set by the DRM [conversion] computer 200 from the memory of the user computer 300 (S143), and transmits this read-out session ID to the DRM [conversion] computer 200 (S144).

When the DRM [conversion] computer 200 receives the session ID from the game manager 500 (S161), the DRM [conversion] computer 200 refers to the user information data base 240. The DRM [conversion] computer 200 compares the issued session ID registered in the user information data base 240 with the session ID received from the game manager 500, and judges whether or not the two IDs agree (S163). Furthermore, the game manager 500 may transmit only the session ID to the DRM [conversion] computer 200, or may include all or part of the user information such as the user ID and the like in addition to the session ID. Furthermore, environmental information relating to the user computer 300 (CPU utilization rate, amount of memory consumption or the like) may also be included. However, as the amount of information added to the session ID increases, the burden on the user computer 300 also increases, as does the network traffic.

In cases where the session ID received from the game manager 500 does not agree with the session ID registered beforehand (S163: NO), the DRM [conversion] computer 200 (continued-execution management part 230) notifies the game manager 500 that continuation of the execution of the game program 400 is prohibited (S164). Cases in which the two session IDs do not agree are cases in which the game program 400 is executed using a different user computer or the like, i.e., cases in which the same game program 400 is started a plurality of times using one user ID. Accordingly, in cases where the two session IDs do not agree, the game manager 500 is instructed to end the game program 400 forcibly.

In cases where the session ID received from the game manager 500 agrees with the session ID registered beforehand (S163: YES), the DRM [conversion] computer 200 calculates a new reporting period, i.e., the next reporting time (S165). The calculation of this new reporting period will be further described later; however, this is determined with the load conditions of the DRM [conversion] computer 200 and the like being taken into account.

In cases where both session IDs agree, the DRM [conversion] computer 200 notifies the game manager 500 of the newly calculated reporting period and the permission to continue execution (S166).

The game manager 500 receives a response from the DRM [conversion] computer 200 regarding the possibility of continuing execution (S145). In cases where continuation of the execution of the game program 400 is permitted (S146: YES), the newly set reporting period is stored in the memory of the user computer 300, and the processing returns to S141 and waits for the arrival of the reporting time.

Conversely, in cases where the continuation of execution is prohibited by the DRM [conversion] computer 200 (S146: NO), the fm 500 forcibly ends the game program 400 that is in execution (S147). Furthermore, after ending the monitoring program 600 (S148), the game manager 500 also shuts itself down (S149).

Thus, the game manager 500 periodically performs a simple verification with the DRM [conversion] computer 200. As a result, for example, improper utilization in which a plurality of game programs 400 are started using the same user ID and password can be prevented.

FIG. 11 is a flow chart showing the setting processing of the reporting period. This is one example of the concrete realization of the contents of S165 in FIG. 10. The DRM [conversion] computer 200 (more specifically, the continued-execution management part 230) refers to the point in time at which the session ID is received from the game manager 500 (S181). Next, the game manager 500 refers to the reporting period that is associated with the reception of this session ID (S182).

The game manager 500 calculates the deviation between the point in time at which the session ID is received and the preset reporting period. For example, in cases where the point in time of actual [session ID] reception is later than the planned point in time of session ID reception, possible causes of this include delay of packet arrival due to complexity of the communications network CN, a drop in the response performance due to an increase in the burden on the DRM [conversion] computer 200 and the like.

The DRM [conversion] computer 200 detects its own current load conditions (S184). Examples of such load conditions include the number of users currently playing, i.e., the number of game managers that are to be subjected to periodic verification processing on-line and the like. In addition to this, for example, the CPU utilization rate, amount of memory consumption, data input-output processing rate (I/O rate) and the like may also be detected.

The DRM [conversion] computer 200 predicts future load conditions on the basis of the current load conditions (S185). Specifically, in cases where the reporting period of the game manager 500 is maintained at the current value, the load conditions of the DRM [conversion] computer 200 at the next reporting time are predicted. In concrete terms, for example, in a case where the current reporting period is set at “1 hour”, the number of users (number of game managers) undergoing on-line verification after 1 hour has elapsed from the current point in time can be grasped by means of the monitoring condition data base 260.

Next, the DRM [conversion] computer 200 refers to the reporting mode that is set beforehand for the game program 400 in execution (S186). The reporting mode associated with the game program 400 can be altered even after the recording medium RM is circulated [on the market]. For example, the DRM [conversion] computer 200 can be notified of the game ID and new reporting mode by the supplier computer 100, and alteration of the game information data base 250 can be requested.

Finally, for example, the DRM [conversion] computer 200 calculates the new reporting period on the basis of the reporting mode, amount of time deviation between the planned point in time of the session ID reception and actual point in time of this reception, and future predicted load conditions so that the monitoring efficiency is maximized (S187).

For example, when a newly created popular game program is first placed on the market, the number of users of this game program increases abruptly. Accordingly, the burden on the DRM [conversion] computer 200 which performs a simple periodic verification on-line shows an increase. Security against improper use is improved as the reporting period is set as a shorter period; on the other hand, however, the burden on the DRM [conversion] computer 200 is also increased. If the reporting period is set as too short a period because of the emphasis on security, the response characteristics of the DRM [conversion] computer 200 deteriorate, and there is a possibility that this will lead to a shutdown of the function. Accordingly, in cases where there is a temporary increase in the load, as in the initial marketing of a newly created popular game or the like, the system is controlled so that the reporting period is lengthened.

Thus, for example, in the case of monitoring priority mode, the DRM [conversion] computer 200 can set the reporting period (monitoring timing) so that maximum security can be obtained within limits that do not cause a shutdown of the function. On the other hand, in the case of load reduction mode, the DRM [conversion] computer 200 can set the reporting period at a period that makes it possible to maintain [at least] minimum security.

The above is one example; various algorithms can be introduced for the prediction of the load conditions, setting of the reporting period and the like.

Next, FIG. 12 is a flow chart which shows the mutual monitoring processing performed by the game manager 500 and monitoring program 600. In this embodiment, the game manager 500 and monitoring program 600 respectively monitor the operating conditions of the game program 400 as a shared object of monitoring; in addition, these parts also periodically monitor each other as objects of monitoring. If periodic on-line verification between the DRM [conversion] computer 200 and game manager 500 is taken as monitoring from the outside, then the mutual monitoring of the game manager 500 and monitoring program 600 can be positioned as internal monitoring.

To describe the monitoring processing of the game manager 500 first, the game manager 500 judges whether or not the preset monitoring time has arrived (S201). It is desirable to set the monitoring time with a relatively short period. When the monitoring time arrives (S201: YES), the game manager 500 checks the operating conditions of the monitoring program 600 (S203), and judges whether or not the monitoring program 600 is operating normally (S203).

In cases where the monitoring program 600 is operating normally (S203: YES), the game manager 500 next checks the operating conditions of the game program 400 (S204), and judges whether or not the game program 400 is operating normally (S205). In cases where the game program 400 is also operating normally (S205: YES), the game manager 500 waits until the next monitoring time arrives (S201).

On the other hand, in cases where the monitoring program 600 has stopped operating (S203: NO), or in cases where the game program 400 has stopped operating (S205: NO), the game manager 500 shifts to forcible stop processing (S206 through S208).

Specifically, after the game manager 500 stops the operation of both the game program 400 and the monitoring program 600 (S206, S207), the game manager 500 also shuts itself down (S208). In cases where the operation of the game program 400 is stopped, the decoded game program 400 is immediately deleted from the memory of the user computer 300 and destroyed.

Furthermore, in the case of programs that have already stopped, there is no need to order stopping again. For example, in a case where stopping of the operation of the game program 400 has been confirmed, and the processing has shifted to forcible stop processing, there is no need to order the stopping of the operation of the game program 400 again. Similarly, in a case where the stopping of the operation of the monitoring program 600 has been confirmed, and the processing has shifted to forcible stop processing, there is no need to order the stopping of the operation of the monitoring program 600 again. However, stopping of the operation of both the game program 400 and monitoring program 600 may be order to ensure stopping.

The same is true of the processing of the monitoring program 600. When the monitoring time arrives (S221: YES), the monitoring program 600 respectively monitors the operating conditions of the game manager 500 and game program 400 (S222 through S225), and in cases where either of these has stopped operating (S223: NO, or S225: NO), the monitoring program 600 shifts to forcible stop processing, and shuts down all of the programs (S226 through S228).

Thus, since a plurality of operating monitoring programs, i.e., the game manager 500 and monitoring program 600, monitor the operating conditions of the game program 400, and also monitor each other, the stopping of the operation of the game program 400 can be more reliably detected. Furthermore, even in cases where one of the operation monitoring programs is intentionally shut down, the other monitoring program can perform an overall shutdown, so that improper copying of the game program 400 opened in the memory of the user computer 300 can be prevented in advance.

In the present embodiment, as was described above in detail, periodic on-line verification is performed between the game manager 500 that controls the operation of the game program 400 and the DRM [conversion] computer 200 that performs license verification; accordingly, the durability against improper use can be increased.

Furthermore, since this periodic on-line verification is performed by comparing session IDs, this can be accomplished by relatively simple processing. Accordingly, a simple verification can be performed in a relatively short time without increasing the burden on the computers, and security can be maintained over a long period of time.

In addition, the timing at which this simple on-line verification is performed (i.e., the reporting period) is actively controlled on the basis of the load conditions of the DRM [conversion] computer 200 and the like; accordingly, higher security can be realized while taking into account the network traffic, computer load and the like.

Moreover, a construction is used in which two respectively independent operation monitoring programs, i.e., the game manager 500 and monitoring program 600, are prepared, and these programs can monitor not only the operating conditions of the game program 400, but also each other, so that in cases where even one of the programs, i.e., the game program 400, game manager 500 or monitoring program 600, stops operating, the operation of the other two programs can also be stopped, and the game program 400 can be disabled by being deleted or the like; accordingly, actions such as the improper read-out and copying of the game program 400 opened in the memory can be prevented, and reliability can be further heightened.

Next, FIG. 13 shows still another embodiment of the present invention. This embodiment has a construction in which mutual monitoring by a plurality of monitoring programs and periodic on-line verification with a verification computer are realized in the first embodiment.

In this embodiment, a game program 40, execution control program 50A and monitoring program 60 are distributed to a user computer 30 from a distribution computer 10.

In addition to the construction and effects of the abovementioned execution control program 50, the execution control program 50A comprises an easy periodic on-line verification function and a monitoring function that are performed by the abovementioned game manager 500. Furthermore, the monitoring program 60 comprises a monitoring function similar to that of the abovementioned monitoring program 600.

The execution control program 50A performs decoding of the game program 40 and the like by means of an initial user verification. Furthermore, the execution control program 50A also performs user verification during the execution of the game program 40 by periodically transmitting a session ID to the to the verification computer 20. In cases where the user verification is successful, the execution control program 50A permits continuous execution of the game program 40, while in cases where the user verification fails, the execution control program 50A forcibly ends the game program 40.

Furthermore, the execution control program 50A and monitoring program 60 both monitor the starting conditions of the game program 40, and also respectively monitor each other. Moreover, in cases where even one of the programs, i.e., the game program 40, execution control program 50A or monitoring program 60, ends, the execution control program 50A or monitoring program 60 detects this, and shuts down the remaining programs and itself.

Furthermore, the respective embodiments of the present invention described above are examples used to describe the present invention; the scope of the present invention is not limited to these embodiments alone. A person skilled in the art can work the present invention in various aspects without departing from the spirit of the present invention. 

1. A software execution control system which updates first software installed in a user computer to second software, comprising: a distribution part which distributes said second software that is encoded and an execution control program for controlling the execution of said second software to said user computer via a communications network; and a verification part which performs user verification by a request from said execution control program installed in said user computer, and which transmits specified information that is required in order to decode and start said second software to said execution control program via said communications network in cases where it is confirmed that the user is a valid user; wherein said second software is constructed so that this software can be started only by the starting information that is transferred from said execution control program; and said execution control program is constructed so as to: (1) decode said encoded second software on the basis of said specified information received from said verification part, and substitute this second software for said first software; (2) start said second software by creating starting information on the basis of said specified information; and (3) disable said second software when the execution of said second software is completed.
 2. The software execution control system according to claim 1, wherein said execution control program is constructed so that this program can handle a plurality of different types of second software, and said specified information that is transmitted to said execution control program by said verification part includes storage destination address information and a starting argument for the second software to be started, and decoding key information for decoding the second software.
 3. The software execution control system according to claim 1, wherein said execution control program transmits verification information including machine information that is specific to said user computer and encrypting key information to said verification part, said verification part performs user verification on the basis of at least said machine information, said verification part encrypts said specified information by means of said encrypting key information and transmits this information to said execution control program via said communications network in cases where it is confirmed that said user is a valid user, and a plurality of sets of said machine information can be registered in said verification part.
 4. The software execution control system according to claim 1, wherein in cases where it is confirmed that said user is a valid user, said verification part transmits list data of second software that can be started by this user, and transmits said specified information relating to second software selected from said list data to said execution control program via said communications network.
 5. The software execution control system according to claim 1, wherein said execution control program is a program that realizes, in said user computer, a function that acquires machine information specific to said user computer, a function that creates encrypting key information, a function that requests user verification from said verification part, and transmits at least said machine information and said encrypting key information to said verification part, a function which allows the user to select one type of second software from the list data of second software that can be started which is received from said verification part, and which notifies said verification part of the selected second software, a function which receives specified information that is formed by encrypting the storage destination address information, starting argument and decoding key information of said selected second software in said user computer by means of at least said encrypting key information, a function which decrypts said encrypted specified information by means of at least said encrypting key information, a function which decodes the second software inside said user computer by means of said decrypted decoding key information, a function which creates said starting information on the basis of said decrypted starting argument and said storage destination address information, a function which starts said decoded second software by means of said created starting information, and a function which monitors the conditions of execution of said started second software, and which disables said second software when the execution of this second software is completed.
 6. The software execution control system according to claim 1, wherein said second software includes a program and an accompanying data group, and said program or said accompanying data group, or both, are updated.
 7. The software execution control system according to claim 1, wherein said first software installed in said user computer can be executed without undergoing verification by means of said verification part until this first software is replaced by said second software.
 8. The software execution control system according to claim 1, wherein said execution control program disables said second software by deleting all or part of said second software when the execution of said second software is completed.
 9. The software execution control system according to claim 1, wherein said second software includes a program and an accompanying data group, and said execution control program disables only said program of said decoded second software while the encoding data of said second software is saved when the execution of said second software is completed.
 10. The software execution control system according to claim 1, wherein said execution control program is constructed as a program that cannot be forcibly ended separately from said second software.
 11. The software execution control system according to claim 1, wherein said distribution part and said verification part are realized in respectively separate computers.
 12. The software execution control system according to claim 1, wherein said execution control program performs periodic or non-periodic user verification with said verification part during the execution of said second software, and forcibly ends [the execution of] said second software in cases where this user verification fails.
 13. The software execution control system according to claim 12, wherein the periodic or non-periodic user verification that is performed during the execution of said second software can be variably controlled with at least the predicted future load conditions of the verification computer being taken into account.
 14. The software execution control system according to claim 1, wherein said distribution part distributes a monitoring program to said user computer together with said second software and said execution control program, said monitoring program respectively monitors the operating conditions of said second software and said execution control program, and respectively shuts down said second software and said execution control program, and also shuts itself down, in cases where either said second software or said execution control program stops operating, and said execution control program respectively monitors the operating conditions of said second software and said monitoring program, and respectively shuts down said second software and said monitoring program, and also shuts itself down, in cases where either said second software or said monitoring program stops operating.
 15. A software execution control program which updates first software installed in a user computer to second software, and which controls the execution of this second software, wherein said execution control program realizes, in said user computer, a first function which communicates with an external verification part via a communications network, and requests user verification, a second function which creates starting information for starting said second software on the basis of specified information received from said verification part, a third function which decodes said second software on the basis of the specified information that is received from said verification part, a fourth function which replaces the software prior to updating that has already been installed in said user computer with said decoded second software, a fifth function which starts said second software by means of said created starting information, and a sixth function which monitors the conditions of execution of said second software, and which disables said second software when the execution of said second software is completed.
 16. The software execution control program according to claim 15, wherein said second software includes a program and an accompanying data group, and said fourth function replaces either said program or said accompanying data group, or both.
 17. The software execution control program according to claim 16, wherein the software prior to updating that has already been installed in said user computer can be executed without undergoing verification by means of said verification part before being replaced with said second software by said fourth function.
 18. The software execution control program according to claim 17, wherein said sixth function disables said second software by deleting all or part of said second software when the execution of said second software is completed.
 19. The software execution control program according to claim 17, wherein said second software includes a program and an accompanying data group, and said sixth function disables only said program of said decoded second software while saving the encoding data of said second software, when the execution of said second software is completed.
 20. The software execution control program according to claim 15, wherein said execution control program is constructed as a program that cannot be forcibly ended separately from said second software.
 21. A software execution control program which updates software that is installed in a user computer to second software, and controls the execution of this second software, wherein said software execution control program realizes, in said user computer, a function which acquires machine information that is specific to said user computer, a function which creates encrypting key information, a function which requests user verification from an external verification part, and which transmits at least said machine information and said encrypting key information to said verification part, a function which allows the user to select one set of second software from the list data of second software that can be started which is received from said verification part, and which notifies said verification part of the selected second software, a function which receives specified information that is formed by encrypting storage destination address information, a starting argument and decoding key information of said selected second software in said user computer by means of said encrypting key information, a function which decrypts said encrypted specified information by means of at least said encrypting key information, a function which decodes the second software inside said user computer by means of said decrypted decoding key information, a function which creates said starting information on the basis of said decrypted starting argument and said storage destination address information, a function which starts said decoded second software by means of said created starting information, and a function which monitors the conditions of execution of said started second software, and which disables said second software when the execution of said second software is completed.
 22. A software updating method comprising: a step in which a user is notified that the freely usable first software installed in a user computer can be updated to second software; a step in which said user computer is connected via a communications network to a distribution computer that distributes said second software, and updating to said second software is requested; a step in which said second software that is encoded and an execution control program for controlling the execution of said second software are transmitted from said distribution computer to said user computer via [said] communications network; a step in which said user computer and a verification computer are connected via said communications network, and user verification is requested from said verification computer, by said execution control program started in said user computer; a step in which said second software is decoded on the basis of specified information that is transmitted from said verification computer to said user computer in cases where it is confirmed as a result of said user verification that said user is a valid user; a step in which starting information for starting said second software is created on the basis of said specified information that is received from said verification computer; a step in which said second software is started by means of said created starting information; and a step in which the execution of said started second software is monitored, and said second software is disabled when the execution of said second software is completed.
 23. A computer comprising: a verification part which performs user verification in accordance with a request from an execution control program that is installed in a user computer together with second software that replaces first software; and an information transmission part which transmits specified information that is required in order to decode and start said second software to said execution control program in cases where it is confirmed by said verification part that the user is a valid user; wherein said second software is constructed so that this software can be started only by starting information that is transferred from said execution control program; and said execution control program is constructed so that (1) said encoded second software is decoded on the basis of said specified information that is received from said verification part, and is substituted for said first software; (2) said second software is started by creating starting information on the basis of said specified information; and (3) said second software is disabled when the execution of said second software is completed.
 24. A management computer which controls the operation of an execution control program by performing communications with said execution control program, which is installed in a user computer together with application software and a monitoring program, said management computer comprising: a verification part which performs user verification on the basis of a request from said execution control program; an information transmission part which transmits first information that is required for said execution control program to start said application software to said execution control program in cases where it is confirmed by said verification part that the user is a valid user; and a continued-execution management part which manages whether or not continuation of the execution of said application software is permitted on the basis of continuation confirmation communications performed with said execution control program at a specified time.
 25. The management computer according to claim 24, wherein said continued-execution management part compares first identification information acquired from said execution control program and second identification information associated beforehand with said user verification by means of said continuation confirmation communications, allows said execution control program to continue the execution of said application software in cases where both sets of identification information correspond, and prohibits said execution control program from continuing the execution of said application software in cases where said respective sets of identification information do not correspond.
 26. The management computer according to claim 25, wherein said continued-execution management part sets said first identification information corresponding to said second identification information in said execution control program beforehand.
 27. The management computer according to claim 24, wherein said continued-execution management part sets said specified time in said execution control program beforehand, and causes said continuation confirmation communications to be performed from said execution control program to said continued-execution management part when this preset specified time arrives.
 28. The management computer according to claim 24, wherein said continued-execution management part can variably set said specified time.
 29. The management computer according to claim 28, wherein said continued-execution management part can variably set said specified time while taking into account at least the predicted future load conditions.
 30. The management computer according to claim 24, wherein said monitoring program respectively monitors the operating conditions of said application software and said execution control program, and respectively shuts down said application software and said execution control program, and also shuts itself down, in cases where either said application software or said execution control program stops operating, and said execution control program respectively monitors the operation conditions of said application software and said monitoring program, and respectively shuts down said application software and said monitoring program, and also shuts itself down, in cases where either said application software or said monitoring program stops operating.
 31. A software execution control system comprising a user computer in which application software is executed, and a management computer which manages the execution of said application software, wherein said user computer is provided with an execution control part for controlling the execution of said application software, and a monitoring part for monitoring the operation of said application software and said execution control part, and said management computer is provided with a verification part which performs user verification on the basis of requests from said execution control part, an information transmission part which transmits first information that is required for said execution control part to start said application software to said execution control part in cases where it is confirmed by said verification part that the user is a valid user, and a continued-execution management part which manages whether or not continuation of the execution of said application software is permitted on the basis of continuation confirmation communications that are performed with said execution control part at a specified time.
 32. A computer program for causing a computer to function as an execution control part that controls the execution of application software, and as a monitoring part that respectively monitors the operating conditions of said application software and said execution control part, wherein said execution control part comprises a function in which user verification is requested by communicating with a management computer, a function in which said application software is started on the basis of first information received from said management computer, a function in which continuation confirmation communications are performed with said management computer, and a function in which the operation of said application software is stopped in cases where continuation of the execution of said application software is prohibited as a result of said continuation confirmation communications, and said monitoring part comprises a function in which the operating conditions of said application software and said execution control part are respectively monitored, and a function in which said application software and said execution control part are respectively shut down, and the monitoring part itself is also shut down, in cases where either said application software or said execution control part stops operating.
 33. The computer program according to claim 32, wherein said execution control part further comprises a function in which the operating conditions of said application software and said monitoring part are respectively monitored, and a function in which said application software and said monitoring part are respectively shut down, and said execution control part itself is also shut down, in cases where either said application software or said monitoring part stops operating.
 34. The computer program according to claim 32, wherein the function of said execution control part that performs continuation confirmation communications transmits first identification information that is preset by said management computer to said management computer at a specified time that is preset by said management computer.
 35. The computer program according to claim 34, wherein said specified time is variably set by said management computer each time that said continuation confirmation communications are performed.
 36. The computer program according to claim 32, wherein said application software, said execution control part and said monitoring part are recorded on the same recording medium and circulated [on the market]. 